you're talking about the username and password for the mysql user, right?
i don't know how good this is, but i'm happy with it. i have a php file outside DOCUMENT_ROOT that includes a define()s with username, password, hostname, and database name for mysql. i change the permissions to 600 so nobody else on the shared server can read the file, and it's already inaccessible through http since it's not under DOCUMENT_ROOT. i simply require_once() that file, then use the names defined in it when connecting. it looks something like this:
mysql_connect(MYSQL_HOST, MYSQL_USER, MYSQL_PASS);
also, the file with the defines is named starting with a dot so it's hidden, and the file with mysql_connect is also stored outside DOCUMENT_ROOT.
track7 - my dream-hosted site